After integrating Okta for vCenter authentication, users encounter the error "com.vmware.vcenter.trustmanagement.error:Failed to retrieve WS1 settings store" on the identity provider page.



Article ID: 404115


Products

VMware vCenter Server

Issue/Introduction




Symptoms:

  /var/log/vmware/trustmanagement/trustmanagement-svcs.log shows repeated errors like "Could not obtain master credentials" and "Failed to get a access token on host".

[YYYY-MM-DDTHH:MM:SS] [ws1bTLSCertExpiryCheckerScheduler-1 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.TenantInitializer  opId=] Could not obtain master credentials. Checking broker availability. Original exception was: Failed to read from HVC Settings Store WS1 namespace
...
com.vmware.vcenter.trustmanagement.authbroker.BrokerException: Failed to read from HVC Settings Store WS1 namespace
Caused by: com.vmware.vcenter.trustmanagement.impl.InternalException: Failed to get settings from namespace ws1
[YYYY-MM-DDTHH:MM:SS] [pool-2-thread-1 [] ERROR com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Failed to get a access token on host aus-vmprod310.company.pvt for tenant HWS
com.vmware.vcenter.trustmanagement.authbroker.BrokerException: Failed to read from HVC Settings Store WS1 namespace
Caused by: com.vmware.vcenter.trustmanagement.impl.InternalException: Failed to get settings from namespace ws1


  /var/log/vmware/vpxd/vpxd.log shows errors like "Couldn't find the SAML token due to token expiry" and "AcquireToken exception: Invalid credentials".

[YYYY-MM-DDTHH:MM:SS] info vpxd[] [Originator@ sub=vpxLro opID=<OPID>] [VpxLRO] -- BEGIN lro- -- SessionManager -- vim.SessionManager.loginByToken -- <ID> 
[YYYY-MM-DDTHH:MM:SS] [Originator@ sub=MoSessionMgr opID=<OPID>] [SessionManagerMo::LoginByToken] Couldn't find the SAML token due to N9SsoClient14ParseExceptionE(The token has expired at: [YYYY-MM-DDTHH:MM:SS])
...
[YYYY-MM-DDTHH:MM:SS] error vpxd[2227858] [Originator@6876 sub=UserDirectorySso opID=4b088529] AcquireToken exception: N9SsoClient27InvalidCredentialsExceptionE(Authentication failed: Invalid credentials)
[YYYY-MM-DDTHH:MM:SS] error vpxd[2226042] [Originator@6876 sub=UserDirectorySso opID=3276dbcf] AcquireToken exception: N9SsoClient27InvalidCredentialsExceptionE(Authentication failed: Invalid credentials)
...
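The two log signatures above are what distinguish this failure from an ordinary Okta misconfiguration, so it is worth confirming both are present before touching certificates. The following triage script is an added example for this article, not VMware's vCert script and not code from the KB: it counts the signatures in the trustmanagement and vpxd logs and prints a verdict. On a vCenter Server Appliance the inputs are /var/log/vmware/trustmanagement/trustmanagement-svcs.log and /var/log/vmware/vpxd/vpxd.log; here they are replaced by constructed sample files (placeholder timestamps, hostname and opIDs) so the script runs offline.

```shell
#!/bin/sh
# Added example (not VMware's vCert, not code from this KB): read-only triage for
# the "Failed to retrieve WS1 settings store" error. It looks for the log lines
# the article lists and says whether the pattern is complete.

# count_sig FILE PATTERN: number of lines in FILE containing the fixed string
# PATTERN; prints 0 when the file is missing/unreadable or has no match.
count_sig() {
    if [ -r "$1" ]; then
        grep -cF -- "$2" "$1" || true   # grep exits 1 on zero matches but still prints 0
    else
        echo 0
    fi
}

# ws1_triage TRUST_LOG VPXD_LOG: prints per-signature counts and a verdict.
# Exit status 0 = the KB's signature is complete (review certificates with vCert),
# 1 = incomplete match (look elsewhere before replacing certificates).
ws1_triage() {
    trust_log=$1
    vpxd_log=$2
    ws1=$(count_sig "$trust_log" "Failed to read from HVC Settings Store WS1 namespace")
    tok=$(count_sig "$trust_log" "Failed to get a access token on host")
    exp=$(count_sig "$vpxd_log" "The token has expired at:")
    inv=$(count_sig "$vpxd_log" "AcquireToken exception: N9SsoClient27InvalidCredentialsExceptionE")
    printf 'trustmanagement-svcs.log: WS1 settings store errors=%s, access token failures=%s\n' "$ws1" "$tok"
    printf 'vpxd.log: expired SAML tokens=%s, invalid-credential AcquireToken errors=%s\n' "$exp" "$inv"
    # The expired-token line alone is normal after any long session; the trust
    # management errors plus invalid credentials are what point at certificates.
    if [ "$ws1" -gt 0 ] && [ "$tok" -gt 0 ] && [ "$inv" -gt 0 ]; then
        echo 'VERDICT: matches the KB 404115 signature; review certificates with vCert'
        return 0
    fi
    echo 'VERDICT: signature incomplete; do not assume a certificate problem'
    return 1
}

# Constructed sample logs (timestamps, hostname and opIDs are placeholders).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
SAMPLE_TRUST_LOG=$workdir/trustmanagement-svcs.log
SAMPLE_VPXD_LOG=$workdir/vpxd.log

cat > "$SAMPLE_TRUST_LOG" <<'EOF'
[2024-01-01T00:00:00] [ws1bTLSCertExpiryCheckerScheduler-1 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.TenantInitializer  opId=] Could not obtain master credentials. Checking broker availability. Original exception was: Failed to read from HVC Settings Store WS1 namespace
com.vmware.vcenter.trustmanagement.authbroker.BrokerException: Failed to read from HVC Settings Store WS1 namespace
[2024-01-01T00:00:01] [pool-2-thread-1 [] ERROR com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Failed to get a access token on host vcsa.example.test for tenant HWS
com.vmware.vcenter.trustmanagement.authbroker.BrokerException: Failed to read from HVC Settings Store WS1 namespace
EOF

cat > "$SAMPLE_VPXD_LOG" <<'EOF'
[2024-01-01T00:00:02] [Originator@6876 sub=MoSessionMgr opID=aaaaaaaa] [SessionManagerMo::LoginByToken] Couldn't find the SAML token due to N9SsoClient14ParseExceptionE(The token has expired at: [2023-12-31T23:00:00])
[2024-01-01T00:00:03] error vpxd[1] [Originator@6876 sub=UserDirectorySso opID=aaaaaaaa] AcquireToken exception: N9SsoClient27InvalidCredentialsExceptionE(Authentication failed: Invalid credentials)
EOF

# Run against the constructed samples; on a real appliance pass the two paths above.
ws1_triage "$SAMPLE_TRUST_LOG" "$SAMPLE_VPXD_LOG"
```

The script only reads logs and exits non-zero on an incomplete match, so it is safe to run on a production appliance; a clean "expired token" line by itself is not evidence of a certificate problem, which is why the verdict requires the trust management and invalid-credential errors as well.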




Cause

The error is caused by a certificate problem in the vCenter Server trust management framework that surfaces when an external identity provider is integrated: the trust management service cannot obtain its credentials to the internal settings store, so the identity provider page and token acquisition fail. Potential contributing factors include:

  • Certificate expiration within vCenter's trusted root store or machine SSL certificates.
  • Incorrect permissions on certificate files, which prevent the services from reading them and establishing trust.
  • Mismatched trust between vCenter and the external identity provider.

Resolution

To resolve this issue, run the vCert script to review the vCenter certificates and correct any configuration problems it reports, including expired certificates. vCert identifies the expired certificate and replaces it. As with any certificate replacement, take a snapshot of the vCenter Server Appliance (and of any other vCenter Servers in the same SSO domain) before running it.

Refer to the KB article "vCert - expired certificate replacement script".